* [bug#75026] [PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8.
2024-12-22 15:52 [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl Maxim Cournoyer
@ 2024-12-22 16:00 ` Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 2/7] gnu: gnutls: Enable zstd compression Maxim Cournoyer
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2024-12-22 16:00 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/tls.scm (gnutls): Update to 3.8.8.
[source]: Delete patches.
[arguments]: Mark failing tests via XFAIL_TESTS make flag.
* gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1
---
gnu/local.mk | 1 -
.../gnutls-skip-trust-store-test.patch | 15 -----------
gnu/packages/tls.scm | 25 ++++++++++---------
3 files changed, 13 insertions(+), 28 deletions(-)
delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 8155a5ae34..a4f2e71134 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1477,7 +1477,6 @@ dist_patch_DATA = \
%D%/packages/patches/gnumach-version.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
- %D%/packages/patches/gnutls-skip-trust-store-test.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path-1.72.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
deleted file mode 100644
index e0536712a5..0000000000
--- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Version 3.5.11 added a test to check that the default trust store is readable.
-It does not exist in the build environment, so pretend everything is fine.
-
-diff a/tests/trust-store.c b/tests/trust-store.c
---- a/tests/trust-store.c
-+++ b/tests/trust-store.c
-@@ -61,7 +61,7 @@
- } else if (ret < 0) {
- fail("error loading system trust store: %s\n", gnutls_strerror(ret));
- } else if (ret == 0) {
-- fail("no certificates were found in system trust store!\n");
-+ success("no trust store in the Guix build environment!\n");
- }
-
- gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 5f3bc72f6e..ecdfb5c0e5 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,7 +201,7 @@ (define-public p11-kit
(define-public gnutls
(package
(name "gnutls")
- (version "3.8.3")
+ (version "3.8.8")
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
@@ -209,10 +209,9 @@ (define-public gnutls
(uri (string-append "mirror://gnupg/gnutls/v"
(version-major+minor version)
"/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"))
(sha256
(base32
- "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))
+ "1yyq74lzlnkgwbr269mddi9vqi1j0dcnw8pdh09vb01qb0704kxc"))))
(build-system gnu-build-system)
(arguments
(list #:tests? (not (or (%current-target-system)
@@ -242,17 +241,19 @@ (define-public gnutls
;; not working on mips64el.
"--without-p11-kit")
'())))
-
+ #:make-flags
+ #~(list (string-append
+ "XFAIL_TESTS="
+ ;; This test checks that the default trust store is
+ ;; readable; expect it to fail since the trust store
+ ;; doesn't exist in the build environment.
+ "trust-store "
+ ;; This one fails only inside the build environment, for
+ ;; reasons unknown (see:
+ ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
+ "tls13/compress-cert-neg2 "))
#:phases
#~(modify-phases %standard-phases
- ;; fastopen.sh fails to connect to the server in the builder
- ;; environment (see:
- ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
- (add-after 'unpack 'disable-failing-tests
- (lambda _
- (substitute* "tests/fastopen.sh"
- (("^unset RETCODE")
- "exit 77\n")))) ;skip
#$@(if (target-ppc32?)
;; https://gitlab.com/gnutls/gnutls/-/issues/1354
;; Extend the test timeout from the default of 20 * 1000
--
2.46.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [bug#75026] [PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft.
2024-12-22 15:52 [bug#75026] [PATCH core-updates 0/7] Update gnutls and curl Maxim Cournoyer
` (4 preceding siblings ...)
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 5/7] gnu: libidn: Update to 1.42 Maxim Cournoyer
@ 2024-12-22 16:01 ` Maxim Cournoyer
2024-12-22 16:01 ` [bug#75026] [PATCH core-updates 7/7] gnu: curl: Enable zstd support Maxim Cournoyer
6 siblings, 0 replies; 8+ messages in thread
From: Maxim Cournoyer @ 2024-12-22 16:01 UTC (permalink / raw)
To: 75026; +Cc: Maxim Cournoyer
* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments]
<#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963,
964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.
Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
gnu/local.mk | 1 -
gnu/packages/curl.scm | 47 ++--
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
3 files changed, 19 insertions(+), 229 deletions(-)
delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index a4f2e71134..4ffaf89ba4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1128,7 +1128,6 @@ dist_patch_DATA = \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \
- %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
%D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
%D%/packages/patches/curlftpfs-fix-file-names.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..8645ce73f8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -17,6 +17,7 @@
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
+;;; Copyright © 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,15 +68,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
- (replacement curl/fixed)
+ (version "8.11.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
@@ -89,6 +89,7 @@ (define-public curl
(dirname (dirname
(search-input-file
%build-inputs "lib/libgssrpc.so"))))
+ "--with-libssh2"
"--disable-static")
#:test-target "test-nonflaky" ;avoid tests marked as "flaky"
#:phases
@@ -115,20 +116,20 @@ (define-public curl
(if parallel-tests?
(number->string (parallel-job-count))
"1")))
- ;; Ignore test 1477 due to a missing file in the 8.5.0
- ;; release. See
- ;; <https://github.com/curl/curl/issues/12462>.
- (arguments `("-C" "tests" "test"
- ,@make-flags
- ,(if #$(or (system-hurd?)
- (target-arm32?)
- (target-aarch64?))
- ;; protocol FAIL
- (string-append "TFLAGS=~1474 "
- "!1477 "
- job-count)
- (string-append "TFLAGS=\"~1477 "
- job-count "\"")))))
+ (arguments
+ `("-C" "tests" "test"
+ ,@make-flags
+ ,(string-append "TFLAGS="
+ job-count " "
+ (if #$(or (system-hurd?)
+ (target-arm32?)
+ (target-aarch64?))
+ "~1474 " ;protocol FAIL
+ "")
+ ;; protocol FAIL
+ "~962 ~963 ~964 ~965 ~966 ~967 "
+ ;; These fail for unknown reasons.
+ "~165 ~1448 ~2046 ~2047"))))
;; The top-level "make check" does "make -C tests quiet-test", which
;; is too quiet. Use the "test" target instead, which is more
;; verbose.
@@ -152,7 +153,7 @@ (define-public curl
(native-inputs
(list nghttp2 perl pkg-config python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
@@ -178,16 +179,6 @@ (define-public curl
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))))
-(define-public curl/fixed
- (hidden-package
- (package
- (inherit curl)
- (replacement curl/fixed)
- (source (origin
- (inherit (package-source curl))
- (patches (append (origin-patches (package-source curl))
- (search-patches "curl-CVE-2024-8096.patch"))))))))
-
(define-public gnurl (deprecated-package "gnurl" curl))
(define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
deleted file mode 100644
index 0f780f08c3..0000000000
--- a/gnu/packages/patches/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
- init_flags |= GNUTLS_NO_TICKETS;
- #endif
-
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+ if(!config->verifystatus)
-+ /* Disable the "status_request" TLS extension, enabled by default since
-+ GnuTLS 3.8.0. */
-+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
- rc = gnutls_init(>ls->session, init_flags);
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- infof(data, " server certificate verification SKIPPED");
-
- if(config->verifystatus) {
-- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
-- gnutls_datum_t status_request;
-- gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_datum_t status_request;
-+ gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_ocsp_cert_status_t status;
-+ gnutls_x509_crl_reason_t reason;
-
-- gnutls_ocsp_cert_status_t status;
-- gnutls_x509_crl_reason_t reason;
-+ rc = gnutls_ocsp_status_request_get(session, &status_request);
-
-- rc = gnutls_ocsp_status_request_get(session, &status_request);
-+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+ failf(data, "No OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- infof(data, " server certificate status verification FAILED");
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-- failf(data, "No OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ gnutls_ocsp_resp_init(&ocsp_resp);
-
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- gnutls_ocsp_resp_init(&ocsp_resp);
-+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+ &status, NULL, NULL, NULL, &reason);
-
-- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ switch(status) {
-+ case GNUTLS_OCSP_CERT_GOOD:
-+ break;
-
-- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-- &status, NULL, NULL, NULL, &reason);
-+ case GNUTLS_OCSP_CERT_REVOKED: {
-+ const char *crl_reason;
-
-- switch(status) {
-- case GNUTLS_OCSP_CERT_GOOD:
-+ switch(reason) {
-+ default:
-+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+ crl_reason = "unspecified reason";
- break;
-
-- case GNUTLS_OCSP_CERT_REVOKED: {
-- const char *crl_reason;
--
-- switch(reason) {
-- default:
-- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-- crl_reason = "unspecified reason";
-- break;
--
-- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-- crl_reason = "private key compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-- crl_reason = "CA compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-- crl_reason = "affiliation has changed";
-- break;
-+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+ crl_reason = "private key compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_SUPERSEDED:
-- crl_reason = "certificate superseded";
-- break;
-+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+ crl_reason = "CA compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-- crl_reason = "operation has ceased";
-- break;
-+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+ crl_reason = "affiliation has changed";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-- crl_reason = "certificate is on hold";
-- break;
-+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+ crl_reason = "certificate superseded";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-- crl_reason = "will be removed from delta CRL";
-- break;
-+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+ crl_reason = "operation has ceased";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-- crl_reason = "privilege withdrawn";
-- break;
-+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+ crl_reason = "certificate is on hold";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-- crl_reason = "AA compromised";
-- break;
-- }
-+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+ crl_reason = "will be removed from delta CRL";
-+ break;
-
-- failf(data, "Server certificate was revoked: %s", crl_reason);
-+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+ crl_reason = "privilege withdrawn";
- break;
-- }
-
-- default:
-- case GNUTLS_OCSP_CERT_UNKNOWN:
-- failf(data, "Server certificate status is unknown");
-+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+ crl_reason = "AA compromised";
- break;
- }
-
-- gnutls_ocsp_resp_deinit(ocsp_resp);
-+ failf(data, "Server certificate was revoked: %s", crl_reason);
-+ break;
-+ }
-
-- return CURLE_SSL_INVALIDCERTSTATUS;
-+ default:
-+ case GNUTLS_OCSP_CERT_UNKNOWN:
-+ failf(data, "Server certificate status is unknown");
-+ break;
- }
-- else
-- infof(data, " server certificate status verification OK");
-+
-+ gnutls_ocsp_resp_deinit(ocsp_resp);
-+ if(status != GNUTLS_OCSP_CERT_GOOD)
-+ return CURLE_SSL_INVALIDCERTSTATUS;
- }
- else
- infof(data, " server certificate status verification SKIPPED");
--
2.46.0
^ permalink raw reply related [flat|nested] 8+ messages in thread